Univention Bugzilla – Bug 54307
Boolean attributes cannot be synced with the ID-Connector
Last modified: 2023-03-30 11:24:43 CEST
While trying to sync boolean attributes with the ID-Connector an error is returned by the receiving Kelvin-API: Kelvin REST API returned status 400, reason 'Bad Request' (Unprocessable Entity: {'pwdChangeNextLogin': 'The property pwdChangeNextLogin has an invalid value: Value must be of type boolean not unicode.'} for PUT 'https://schulcloud.intranet/ucsschool/kelvin/v1/users/testuser'.
Probably a problem in the data chain: The Appcenter Listener Converter writes a string value into the JSON that the ID Connector uses. The UDM REST API expects a boolean. (The error message from Kelvin is just a forwarded error from the UDM REST API.) The problem would then be, that the Appcenter Listener Converter uses a different interface (UDM basic -> all strings) than the Docker container apps use (UDM REST API -> typed values). If this hypothesis is verified, a discussion/bug should be opened to change the Appcenter Listener Converter.
For completeness: Manual creation with 'udm_properties": {"pwdChangeNextLogin": true}' does work, so the problem occurs indeed in the data chain. This is the corresponding UDM REST API log: 06.01.22 17:19:07.799 ADMIN ( WARN ) : u'pwdChangeNextLogin': Value=u'1' 'BooleanType' WARNING:tornado.access:422 PATCH /udm/users/user/uid=testuser,cn=lehrer,cn=users,ou=SchuleA,dc=schulcloud,dc=intranet (127.0.0.1) 25.24ms 06.01.22 17:19:07 WARNING ( 19403) : 422 PATCH /udm/users/user/uid=testuser,cn=lehrer,cn=users,ou=SchuleA,dc=schulcloud,dc=intranet (0.0.0.0) 23.52ms Upon looking into the out queue your assumption looks plausible: { "action": "add_mod", "dn": "uid=testuser,cn=lehrer,cn=users,ou=SchuleA,dc=mydomain,dc=intranet", "object": { "pwdChangeNextLogin": "1", ... } Is this sufficient to file a bug against the Listener Converter?
A customer plugin can resolve the issue: Add a method like _handle_attr_disabled() [1] to a plugin class derived from the Kelvin plugin [2]. The code of the plugin should be similar to: ----------------------------------------------------------------- class MyKelvinPerSAUserDispatcher(KelvinPerSAUserDispatcher): @staticmethod async def _handle_attr_MY_PROPERTY(obj: ListenerUserAddModifyObject) -> bool: """Pass on state of 'MY_PROPERTY'.""" return obj.object["MY_PROPERTY"] == "1" class MyKelvinUserDispatcher(UserDispatcherPluginBase): """ Send current state of user to target system (school authority). Each out queue has its own :py:class:`KelvinPerSAUserDispatcher` instance which handles user data for the queues school authority. """ plugin_name = "my-kelvin" per_s_a_handler_class = MyKelvinPerSAUserDispatcher class MyKelvinHandler(KelvinHandler): plugin_name = "MY-kelvin" def __init__(self): super().__init__() self.user_handler = MyKelvinUserDispatcher() plugin_manager.register(MyKelvinHandler(), MyKelvinHandler.plugin_name) ----------------------------------------------------------------- Install that file in /var/lib/univention-appcenter/apps/ucsschool-id-connector/conf/plugins/plugins/ and use in the connector configuration "my-kelvin" instead of "kelvin". [1] https://git.knut.univention.de/univention/components/ucsschool-id-connector/-/blob/master/src/plugins/packages/ucsschool_id_connector_defaults/user_handler_base.py#L223 [2] https://git.knut.univention.de/univention/components/ucsschool-id-connector/-/blob/master/src/plugins/plugins/kelvin_handlers.py
A better solution would be to add a feature to the ID Connector that lets customers add mapping functions like "_handle_attr_MY_PROPERTY()" without the need to create their own plugin with three subclasses.
Added additional information and set Waiting Support together with Dirk Schnick.
This workaround does not work for us anymore in production and since today in our test environment! Since upgrading to UCS 5 no school authorities are gathered: "Ignoring object without current or previous school authority entries".
New ticket added another customer escalated the problem yesterday.
A patch for the Appcenter exists in Bug 54773, that will add typed UDM properties to the JSON that is dumped into Docker containers. The bug has to be discussed with and implemented by the Appcenter team.
The bug was fixed & qa't in gitlab. The id-connector version 2.2.5 will only be available for 5.0 https://univention-dist-jenkins.k8s.knut.univention.de/job/UCSschool-5.0/view/Daily%20Tests/job/UCSschool%20ID%20Connector/391/console
Version 2.2.5 was released -> verify
Updates for UCS@school ID Connector 2.2.5 have been released. https://docs.software-univention.de/ucsschool-id-connector/HISTORY.html If this error occurs again, please clone this bug.